A New Round Of OpenSSL Vulnerabilities Discovered


  • A New Round Of OpenSSL Vulnerabilities Discovered

    Phoronix: A New Round Of OpenSSL Vulnerabilities Discovered

    Further fallout from the Heartbleed bug has occurred with another set of security vulnerabilities now being disclosed for OpenSSL...

    http://www.phoronix.com/vr.php?view=MTcxMTI

  • #2
    Brace yourself

    ... HPSB (Hewlett-Packard Security Bulletins) are coming!

    Last time (Heartbleed) I counted 66 on bugtraq



    • #3
      I wonder how long the NSA has known about these...



      • #4
        So, can we put to bed the "OSS is by nature more secure" argument now?



        • #5
          Originally posted by gamerk2:
          So, can we put to bed the "OSS is by nature more secure" argument now?
          Not at all.
          If so many vulnerabilities are to be found in an open piece of software like OpenSSL, I do not dare to think what happens in the heart of a proprietary package...
          Last edited by Apopas; 06-05-2014, 12:39 PM.



          • #6
            Originally posted by gamerk2:
            So, can we put to bed the "OSS is by nature more secure" argument now?
            A closed-source project with as many developers as OpenSSL (i.e., a very small project) would never have ended up on as many machines as OpenSSL did, even if it was free. Mostly because it would be neither auditable nor accountable; in other words, in a sense, too insecure.
            As such, it's quite difficult to reach comparative conclusions when comparable non-OSS projects don't exist.



            • #7
              Originally posted by gamerk2:
              So, can we put to bed the "OSS is by nature more secure" argument now?
              So you'd say a proprietary TLS implementation would fix such bugs earlier?



              • #8
                Originally posted by arabek:
                ... HPSB (Hewlett-Packard Security Bulletins) are coming!

                Last time (Heartbleed) I counted 66 on bugtraq
                Haha, classic



                • #9
                  Originally posted by gamerk2:
                  So, can we put to bed the "OSS is by nature more secure" argument now?
                  Have you ever looked at BIOS code? Because if you had, that would've told you that at the other end of the openness spectrum things are unbelievably broken.

                  Proprietary software will be somewhere between open source and BIOS code.

                  Also, have you ever looked at vendor driver code?

                  If you had done any of those two above, you would never have dared state what you just stated.



                  • #10
                    Originally posted by gamerk2:
                    So, can we put to bed the "OSS is by nature more secure" argument now?
                    LOL. This report is actually an example of why open source is more secure. You have here multiple independent developers looking at the source and reporting bugs, and helping fix them. Would the same be possible with an SSL blob?



                    • #11
                      Originally posted by log0:
                      LOL. This report is actually an example of why open source is more secure. You have here multiple independent developers looking at the source and reporting bugs, and helping fix them. Would the same be possible with an SSL blob?
                      There's that, and if it's open source, used widely enough, and you screw up as badly as OpenSSL has, Theo will come and fork your project to fix all of its brain damage.



                      • #12
                        Originally posted by gamerk2:
                        So, can we put to bed the "OSS is by nature more secure" argument now?
                        You need to learn three things about computer security:
                        1) Just because someone slapped a "secure" label on something doesn't mean it's secure - whether it's open-source or proprietary.
                        2) If security was a boolean it would always evaluate to false. "More secure" doesn't mean "100% secure". And nothing is 100% secure. The question is the price of a successful attack in terms of money (computing resources), time and effort. If it's too costly it'll almost never happen. And almost never is considered good enough.
                        3) Heartbleed is overrated. It's just a bug, one out of many, that got blown way out of proportion by journalists. No security expert has ever seriously believed SSL to be impenetrable. But when the alternative is using plain text for credentials and unencrypted streams for data, it's a no-brainer that SSL is better than nothing.
                        Last edited by prodigy_; 06-05-2014, 02:24 PM.



                        • #13
                          Looks like real-time chat is the biggest exploitable use of this against end users

                          I looked at these; it looks like most of these are denial-of-service attacks, but one permits forcing the use of weak keys in HTTPS traffic and another permits arbitrary code execution against a machine engaged in real-time chats (DTLS seems to be used mostly for this sort of thing, according to what I could quickly dig up).

                          If you don't do real-time chat and rely on GPG when you need strong encryption, this won't likely hurt you. I only trust HTTPS to keep my ISP and various Wi-Fi hotspots from logging copies of my work; I do NOT trust it against the NSA or even the FBI, as it has too high a target profile.

                          Never bank online with any computer, never shop online except with prepaid credit cards whose entire balance is expendable. Don't bet your savings on being a better hacker than every last person out there who puts food on their table by black hatting!



                          • #14
                            Turtles all the way down

                            I guess now after the Heartbleed vulnerability in OpenSSL, lots of security researchers are going to examine OpenSSL.

                            I wonder if it's turtles all the way down, with new vulnerabilities exposed every week.



                            • #15
                              Private disclosure

                              Some days ago the bugs had been privately communicated to a list of Linux distributions.

                              This is the timeline:

                              http://seclists.org/oss-sec/2014/q2/466
